Selling ransomware breaches: Four trends spotted on the RAMP forum
The sale and purchase of unauthorised access to compromised enterprise networks has become a linchpin for cybercriminal operations, particularly in facilitating ransomware attacks. Underground forums are sharing guidelines on breaching networks and selling the access they obtain, leaving the exploitation to other malicious actors.
On underground criminal forums, these transactions allow actors with complementary skills to collaborate, amplifying the impact and reach of cyberattacks. The market for such access has grown notably, especially as ransomware operators increasingly employ double-extortion tactics. A foothold in a victim's network, with credentials that enable stealthy operations, has never been a more lucrative — and popular — business model.
Organisations across all sectors and regions are vulnerable and a target. The collective shift to remote work during the COVID-19 pandemic has expanded the attack surface, as more remote access tools remain in use to this day. In our Rapid7 2024 Attack Intelligence Report, we noted that 36% of all widespread threat events we tracked in 2023 involved the exploitation of network edge device vulnerabilities. This trend has continued into 2024.
In this article, we delve into a major forum frequented by ransomware actors and affiliates called RAMP. As part of our research for the Rapid7 Ransomware Radar Report, we analysed RAMP postings offering corporate access across the first six months of 2024, surfacing four key trends within this underground marketplace.
The forum: RAMP
Re-launched/branded in July 2021, the RAMP (Ransomware and Advanced Malware Protection) forum is an underground cybercriminal hub originally known as Payload.bin, tracing its roots back to 2012 when it first operated on the Tor network. With a primary focus on ransomware, RAMP is a multilingual platform catering to Russian, Chinese, and English speakers and boasts over 14,000 registered members. Access to RAMP is highly restricted; potential users must have been active members on the XSS and Exploit forums for at least two months, have posted at least ten times, and maintain a good reputation, or alternatively, pay a $500 registration fee for anonymity.
RAMP is both a forum and a marketplace, offering ransomware kits, malware, and stolen data while also providing comprehensive guides and tutorials for cyberattacks. It facilitates ransomware-as-a-service operations, enabling affiliates to deploy ransomware for a share of the profits. Despite its high registration fee, a stark contrast to the $120 annual fee for premium XSS users, RAMP's closed community is a critical resource for many threat actors. The forum's design mimics Silk Road-like darknet markets, including escrow features, and it operates primarily off-the-record to avoid law enforcement detection. Its administrator claims an annual revenue of around $250,000, benefiting from its predominantly Russian user base and a strict policy against selling certain illegal goods and services.
Selling Access
To investigate the trends and context around the selling of access into corporate networks, we analysed all the postings on the RAMP forum from 1 Jan to 30 June 2024. Some of these posts were cross-posted on other underground forums too. In most cases, the initial access was mentioned and/or the price asked. Where this data was not available, we classified that as 'unknown' in our dataset for analysis.
We discovered four trends:
Trend #1: Country Distribution
The United States leads the pack with the highest number of entries referencing the country of the company attackers have credentials or access to, followed by France and Brazil. Companies based in Western countries command a higher price due to their perceived wealth and easier access to resources for payment, so what we're seeing thus far in 2024 is what would be expected. The only exception to this is Brazil, likely due to Brazilian affiliates that target larger Brazilian businesses.
Trend #2: Revenue Distribution
One of the variables that determine the asking price for network access is the revenue made by the target. Very often, sites like ZoomInfo are used to look up the annual revenue, which is then mentioned in the posting.
We observed a broad range of revenue values within the RAMP dataset, where some entries specified exact amounts and others used ranges. A significant number of entries included revenues in the millions, particularly around $5 million USD.
In fact, companies with revenues in the $5 million range appeared twice as often as those in the $30-50 million range and five times more frequently than those with a $100 million revenue. This could indicate that such companies are large enough to hold valuable data but perhaps not as well protected as larger corporations. Regardless, this finding shows that companies with $5 million in revenue are attractive targets and represents an interesting shift from access brokers only targeting the "big fish."
Trend #3: Access Type Distribution
How are threat actors getting in? Our analysis shows that Remote Desktop Protocol (RDP) is the most common access type, followed by VPN, which presents a greater possibility of remaining undetected. That, in combination with the level of access (user or privileged user), demands a higher price.RDP is often used for remote work and system management, and it can be a significant vulnerability if not properly secured. The prevalence of RDP underscores the importance of securing remote access points.
As noted in Rapid7's 2024 Attack Intelligence Report, missing or unenforced multi-factor authentication (MFA) gave rise to 41% of the incidents Rapid7 MDR observed in 2023. Companies should ensure robust security measures like MFA and proper network segmentation to protect RDP endpoints. Also, if we consider the combined value of VPN and such technologies, then the trend of targeting network edge devices will certainly continue.
Trend #4: Price Distribution
Many RAMP entries list unknown prices. Among the known prices, amounts like $500, $800, and $1000 are common. Company revenue, headquarter location, and the type of access are each a basis for how the threat actor formulates their asking price, which can range widely based on the perceived value of the target network. It is common for prices to spike based on the specific attributes of the target (e.g., revenue, security posture, type of data accessible).
Our analysis highlights key areas of concern for companies looking to protect themselves against access brokers. Businesses in the US, France, and Brazil, as well as those with revenues around $5 million, should be particularly vigilant. Securing remote access points, investing in robust solutions, and understanding the pricing dynamics of the black market for network access can help companies bolster their defences against this pervasive threat.
By staying informed about these and other ransomware trends, businesses can better understand the risks and implement effective measures to safeguard their networks against unauthorised access.